Univention Bugzilla – Bug 47567
Add SAML service providers to groups
Last modified: 2020-10-29 22:40:57 CET
Currently SAML service providers can only be added to user objects. It would be nice to be able to add them to groups (meaning the included users) as well.
A customer decided to refrain from using SSO for a specific service, because activating the Service Provider for user objects was deemed too much effort.
I want to understand the use case better. How are the users added / modified? Should there be one group for each service? Initial setting of the attribute for many users could be done with multiedit. Adding multiple users to an existing group should be roughly the same effort. When adding users with a udm script, the enabled flags could be set when creating the user.
(In reply to Erik Damrose from comment #2)
> I want to understand the use case better. How are the users added / modified? Should there be one group for each service?
>
> Initial setting of the attribute for many users could be done with multiedit. Adding multiple users to an existing group should be roughly the same effort.
>
> When adding users with a udm script, the enabled flags could be set when creating the user.

The customer has a school scenario. They want to activate a certain Service Provider for just one school. Since they already have groups containing teachers and students for every school, they'd just like to add the service provider to these groups instead of doing a multi edit. Another reason why they don't like the multi edit workaround is bug 47568. But I think even with that resolved they'd still wait for this feature until they use it. I told them about the udm script possibility as well, but they want to manage the SPs themselves later on and want to do it with groups.
Seems like more or less the same use case as in the office365 connector to me. For the customer it is important that he/she can assign it to a group like "Domain Users schoolXY". The customer has a delegated automatic user life-cycle. Whether the SAML-SP attribute is assigned to the user during creation or read "on the fly" isn't important as far as I know.
Requested again from a school customer
https://help.univention.com/t/11071
Requested again below a blog article https://www.univention.de/blog-de/2019/02/how-to-sso-nextcloud/?replytocom=13916#comment-13916
Since 4.4 e205 one can filter users by their group memberships in the Users module. The memberOf overlay must be active for that. Then all users can be selected and a multi-edit can be performed. This workaround does not cover users being added to or removed from that group, of course. http://errata.software-univention.de/ucs/4.4/205.html
Customer reiterated their desire for this feature. They don't want to use import hooks.
Client 47691 would also like to add SAML service providers to groups. They also don't want to use import hooks.
Requested again by a customer (54468)
We would also like to add SAML service providers to groups. We also don't want to use import hooks.
Another customer asked for this
We will definitely need this very soon in the future. Workarounds are currently being built in all kinds of customer projects. Which is complex, and expensive.
4285e5851a Bug #47567: yaml
5c263d2498 Bug #47567: Merge branch 'jbremer/bug47567-samlsp4groups' into 4.4-4
1174cac7a7 Bug #47567: Doku
28a16b5adc Bug #47567: Add saml serviceprovider to groups

Successful build
Package: univention-saml
Version: 6.0.2-41A~4.4.0.202005111505
Branch: ucs_4.4-0
Scope: errata4.4-4

One can now configure SAML service providers per group on the "General" tab. A new objectClass for groups, "univentionSAMLEnabledGroup", and a new attribute, "serviceprovidergroup", have been created. The univention-saml package has a new listener, which listens for changes to univentionSAMLEnabledGroup and writes the newly configured service providers in JSON format to '/etc/simplesamlphp/serviceprovider_enabled_groups.json', which is then read by saml.
26f8a1947b Bug #47567: update yaml
6f687f18d6 Bug #47567: Chown to samlcgi, dont assume uid, guid

I assumed the uid of samlcgi before. The uid and gid of samlcgi are now determined in the listener.
First blackbox test shows that service provider config files are not rewritten on package update. Thus, the json file with the group mapping is written, but never read from the service provider configfile, until the listener rewrites the sp configfile. In previous updates we resynced the listener module to force a rewrite of all sp configfiles; I think it is ok to do this with this update as well -> REOPEN

Once the saml config is correct, the requested feature runs as desired. I added a saml sp to the domain users group and the saml login worked, without having to configure each user individually.
Package: univention-saml
Version: 6.0.2-43A~4.4.0.202005122039
Branch: ucs_4.4-0
Scope: errata4.4-4

7d9a358889 Bug #47567: yaml
9b62c49933 Bug #47567: Resync listener
OK: schema extension, extended attribute on groups
OK: docs, I fixed a small typo
OK: integration of group check in sp config
OK: Test with group with umlauts ("Domänenbenutzer")
OK: yaml
Reopen: there are some logic errors in the saml-group listener, I sent details in an email
Thanks for the feedback :)

fee8c14587 Bug #47567: yaml
8a3f354955 Bug #47567: fix addition/removal of groups to json in group-listener

Package: univention-saml
Version: 6.0.2-44A~4.4.0.202005141435
Branch: ucs_4.4-0
Scope: errata4.4-4
Created attachment 10367: patch for listener, fixes removing SP from group

Removing an SP from a group does not work, please check the attached patch for a possible solution.
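The mechanism the comments above describe (a listener that keeps a JSON file mapping enabled service providers to groups, which the SP configuration then consults, and the removal case that the attached patch addresses) modelled as an added example. This is not the univention-saml listener's code: the JSON layout (SP DN -> list of group DNs), the DN values, the atomic write and the login-time check function are assumptions made for this demo.

```python
import json
import os
import tempfile


def norm_dn(dn):
    """Lowercase and strip a DN before storing or comparing it.

    Simplification: LDAP DNs compare case-insensitively and the listener sees
    them in whatever case the directory holds. Real DN normalisation also
    handles whitespace around RDN separators and escaping; enough for a demo.
    """
    return dn.strip().lower()


def apply_group_change(mapping, group_dn, old_sps, new_sps):
    """Update mapping (SP DN -> list of group DNs) for one group whose
    enabled-SP values changed from old_sps to new_sps.

    SPs no longer listed are unlinked from the group, and SP entries left
    with no groups are dropped, so removing an SP from its last group really
    disables it (the case reported as broken in this bug).
    """
    group = norm_dn(group_dn)
    old = {norm_dn(sp) for sp in old_sps}
    new = {norm_dn(sp) for sp in new_sps}
    for sp in old - new:
        groups = mapping.get(sp, [])
        if group in groups:
            groups.remove(group)
        if not groups:
            mapping.pop(sp, None)
    for sp in new - old:
        groups = mapping.setdefault(sp, [])
        if group not in groups:
            groups.append(group)
    return mapping


def remove_group(mapping, group_dn):
    """Handle deletion of the whole group object: unlink it from every SP."""
    group = norm_dn(group_dn)
    current = [sp for sp, groups in mapping.items() if group in groups]
    return apply_group_change(mapping, group_dn, current, [])


def write_mapping(mapping, path):
    """Write atomically (temp file in the same directory, then rename) so the
    SP configuration never reads a half-written file. The real listener also
    chowns the file to the samlcgi user; that step is omitted here."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(mapping, fh, indent=2, sort_keys=True)
    os.replace(tmp, path)


def read_mapping(path):
    """Load the mapping; a missing file means nothing is enabled via groups."""
    try:
        with open(path) as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {}


def sp_enabled_for_user(mapping, sp_dn, user_enabled_sps, user_groups):
    """Hypothetical login-time check on the IdP side: allow the SP if it is
    enabled on the user object directly or on any group the user belongs to.
    Default is deny: an SP absent from both sources is not usable."""
    sp = norm_dn(sp_dn)
    if sp in {norm_dn(s) for s in user_enabled_sps}:
        return True
    member_of = {norm_dn(g) for g in user_groups}
    return any(g in member_of for g in mapping.get(sp, []))


def demo():
    """Constructed scenario: enable one SP for a school's teachers group, check
    a teacher and a student, then delete the group. Returns the observations."""
    teachers = "cn=lehrer-schule1,cn=groups,dc=example,dc=com"    # constructed
    students = "cn=schueler-schule1,cn=groups,dc=example,dc=com"  # constructed
    sp_cloud = "cn=sp-cloud,dc=example,dc=com"                    # constructed SP DN
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "serviceprovider_enabled_groups.json")
        mapping = read_mapping(path)
        apply_group_change(mapping, teachers, [], [sp_cloud])
        write_mapping(mapping, path)
        mapping = read_mapping(path)
        results["after_add"] = read_mapping(path)
        results["teacher"] = sp_enabled_for_user(mapping, sp_cloud, [], [teachers])
        results["student"] = sp_enabled_for_user(mapping, sp_cloud, [], [students])
        results["student_direct"] = sp_enabled_for_user(mapping, sp_cloud, [sp_cloud], [students])
        remove_group(mapping, teachers)
        write_mapping(mapping, path)
        mapping = read_mapping(path)
        results["after_remove"] = mapping
        results["teacher_after"] = sp_enabled_for_user(mapping, sp_cloud, [], [teachers])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of `apply_group_change` taking both the old and the new attribute values is that a listener only sees the modified object, so the set difference is the only way to know which SP links to drop; the atomic rename in `write_mapping` matters because the SP configuration reads the file out of band, and a partially written JSON file would silently disable every group-based assignment until the next rewrite.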
Successful build
Package: univention-saml
Version: 6.0.2-45A~4.4.0.202005181100
Branch: ucs_4.4-0
Scope: errata4.4-4

55296ff071 Bug #47567: yaml update
10998e3e4a Bug #47567: Remove sps
OK: Remove SPs from groups
OK: yaml
Verified
<http://errata.software-univention.de/ucs/4.4/611.html>
FYI: the syntax of the new attribute "enabledServiceProviderIdentifierGroup" is set to ASCII. Therefore SAML SP DNs containing non-ASCII characters cannot be selected.